Most people owning a PC are familiar with Microsoft's patching process - it's easy and it's there. For a lot of them, it also gives the impression that Microsoft's products are chock-full of flaws.

But, according to Stefan Frei, Research Analyst Director with Secunia, it's not the vulnerabilities in Microsoft's products we should worry about, but those in third-party software.

At the Infosecurity press event in London, Frei said that even though the number of discovered vulnerabilities has slightly decreased in the last two years, the worrying fact is that 84 percent of all those found in 2010 can be exploited from a remote location, and that 69 percent are tied to third-party products that may or may not have a quality patching mechanism in place.

The percentages reported are the result of Secunia's Annual Report for 2010, compiled by taking stock of the information gathered by their Personal Software Inspector - a tool designed to detect vulnerable and outdated programs and plug-ins.

According to these numbers, 55 percent of end-point users have more than 66 programs from more than 22 vendors installed on their systems. Of the 50 most widely used programs, 26 are developed by Microsoft and the remaining 24 by 14 other vendors.

A simple equation can tell us how many opportunities a cyber criminal has: number of hosts x number of vulnerabilities = opportunity.

Currently, some 28 percent of the world's population - that's almost two billion people - have access to and use the Internet. From 2000 to 2010, the number of global users grew by 448 percent, and that certainly didn't go unnoticed by cyber criminals.

But, while the overall number of discovered vulnerabilities has decreased, the number of vulnerabilities affecting a typical end-point computer has increased by about 71 percent. Third-party programs are almost exclusively responsible for this trend, since 69 percent of those vulnerabilities are found in them.

So, a single patch mechanism (Windows Update) covers the 31 percent of vulnerabilities found in the OS (Windows) and other Microsoft products, but 13 different update mechanisms are needed to patch the remaining 69 percent found in third-party software.

And when keeping track of that many update mechanisms becomes too complex, patches go unapplied and are virtually useless. It is no wonder, then, that the results showed third-party programs are less likely to be found fully patched.
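To make the "one mechanism versus 13" point concrete, here is an added illustration of the kind of check a tool like Personal Software Inspector performs: compare each installed program's version against the version that fixes known flaws, then count how many distinct update mechanisms a user would have to operate to get fully patched. This is example code written for this article, not Secunia's code; the inventory, the fixed-version table, the program names and the vendor names are all constructed for the illustration and carry no real advisory data.

```python
"""Toy patch-status inventory check (added illustration, not Secunia PSI code)."""
import re
from collections import Counter

# Constructed sample inventory: (program, vendor, installed version, update mechanism).
# Names and versions are hypothetical and do not describe real products or advisories.
INSTALLED = [
    ("os",             "Microsoft", "6.1.7600",  "Windows Update"),
    ("office-suite",   "Microsoft", "14.0.4734", "Windows Update"),
    ("pdf-reader",     "Vendor A",  "9.3",       "Vendor A Updater"),
    ("browser-plugin", "Vendor A",  "10.1.102",  "Vendor A Updater"),
    ("runtime",        "Vendor B",  "1.6.0_21",  "Vendor B Updater"),
    ("browser",        "Vendor C",  "3.6.12",    "Vendor C Updater"),
    ("media-player",   "Vendor D",  "7.6.6",     "Vendor D Updater"),
    ("text-editor",    "Vendor E",  "2.0",       "manual download"),
]

# Constructed "first version that fixes the known issues" table, keyed by program.
# "text-editor" is deliberately absent to show the unknown-status case.
FIXED_IN = {
    "os": "6.1.7600",
    "office-suite": "14.0.4763",
    "pdf-reader": "9.4.0",
    "browser-plugin": "10.1.102",
    "runtime": "1.6.0_22",
    "browser": "3.6.12",
    "media-player": "7.6.8",
}


def parse_version(version: str) -> tuple:
    """Reduce a vendor version string such as '1.6.0_21' or '9.4' to a tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than version b; '9.4' and '9.4.0' compare equal."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def patch_report(inventory, fixed_in) -> dict:
    """Classify each installed program as patched, unpatched or unknown and
    summarise what it would take to close the gap."""
    unpatched, unknown, mechanisms = [], [], set()
    vendors = Counter()
    for program, vendor, installed, mechanism in inventory:
        fixed = fixed_in.get(program)
        if fixed is None:
            unknown.append(program)           # no reference data: cannot judge
            continue
        if version_lt(installed, fixed):
            unpatched.append(program)
            mechanisms.add(mechanism)         # each one the user must run separately
            vendors["Microsoft" if vendor == "Microsoft" else "third-party"] += 1
    total = sum(vendors.values())
    return {
        "unpatched": sorted(unpatched),
        "unknown": sorted(unknown),
        "mechanisms_needed": sorted(mechanisms),
        "third_party_share": vendors["third-party"] / total if total else 0.0,
    }


if __name__ == "__main__":
    report = patch_report(INSTALLED, FIXED_IN)
    print(f"unpatched: {report['unpatched']}")
    print(f"update mechanisms to run: {len(report['mechanisms_needed'])}")
    print(f"third-party share of unpatched: {report['third_party_share']:.0%}")
```

On the constructed inventory, four programs are out of date; three of them are third-party, and closing the gap means running four separate update mechanisms, one of which is Windows Update. The "unknown" bucket matters in practice: a program with no reference data is not "patched", it is unassessed, and silently treating it as fine is how inventory tools overstate coverage.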

According to Frei, patching is extremely important, but its importance is still not fully recognized and prioritized. "A patch provides better protection than a thousand signatures, because it eliminates the root cause," he says. The problem is that most users still consider the OS and Microsoft products the primary attack vectors and ignore the patching of third-party software.

It turns out, then, that cybercriminals don't actually need to exploit vulnerabilities in Microsoft software, or even zero-day vulnerabilities - there are plenty of those in third-party software.

Wouldn't silent patching solve many of these problems, I asked. Frei said that he advocates default silent patching for inexperienced users, because he believes that those who know should help those who don't, but that experienced and knowledgeable users should be able to switch it off.
